This is a contributed piece by John Ferron, CEO at HEAT Software
What the recent spate of DDoS attacks carried out by devices infected with Mirai malware has shown us is that security too often takes a back seat to commercial interests when it comes to IoT. An estimated 100,000 IoT devices were infected with Mirai – malware which scans the internet for products protected by factory default or hard-coded usernames and passwords. Both are child’s play to compromise, allowing the black hats to build botnets to launch attacks that have taken some of the biggest names on the web offline, and in one case an entire African nation.
One Chinese manufacturer at the centre of the IoT security storm is Hangzhou Xiongmai Technology, whose DVRs and internet-connected camera models are thought to have been compromised en masse by Mirai. Although it patched its products in September 2015, the firm agreed in October to recall millions of devices from before that date which don’t require users to change the default password the first time they power up.
The problem is that security is often an afterthought for IoT providers keen to get their products on the market in what is an increasingly competitive space. Default or hard-coded credentials should never be allowed in these products. Other common mistakes according to the OWASP Top 10 list include unsigned firmware, insecure mobile and cloud interfaces, and devices with too many network ports left open. That OWASP guidance should be compulsory reading for all IoT manufacturers.
While many may think consumers are more bothered about functionality than security, that’s not necessarily the case. A recent global study from the non-profit prpl Foundation actually found that 60% of consumers believe the end user should take responsibility for security in the smart home. What’s more, 42% said they’d pay a premium for more secure devices, while a third (32%) said security concerns are actually preventing them from buying more.
A special US government meeting in October with major industry players could also see some positive outcomes: namely, a new labelling scheme to show consumers how long manufacturers will support security updates on their products.
But that’s all in the future. In the meantime, every IoT device that makes its way into the workplace via IT consumerisation represents an entry point into the corporate network that could introduce cybersecurity risk.
As Mirai has shown, cybercriminals are more than capable of exploiting any flaws to their advantage. Last year there were over 16,000 software vulnerabilities in nearly 2,500 products from hundreds of vendors. This number will only grow as the IoT does, giving the black hats possible access to sensitive corporate data, or potentially an easy way to infect key systems with ransomware. Both could lead to huge losses from industry fines, legal costs, departing customers and brand damage.
Gone are the days when IT leaders could dictate to employees what technologies they should be using at work. Any attempt to mandate will simply drive use of non-approved tech underground, creating additional “shadow IT” risk. Instead, CISOs should look to leverage the power of the service desk – already positioned on the IT frontline – to help provide visibility into the corporate endpoint environment.
Next it’s about providing those service management teams with the right tools. Traditional AV and blacklisting products are not enough to protect against the avalanche of threats facing dynamic IT environments. A unified system of layered protection is needed, beginning with automated patching of any device connecting to the network. It’s important here to find a provider that supports as broad a range of device models, OS versions and manufacturers as possible – to cover the full breadth of IoT.
App whitelisting can then be added on top to combat zero-day threats. Add encryption for further protection, so any corporate data that might end up in the hands of a hacker will still be safe. Device control and Enterprise Mobility Management (EMM) will then help IT to remotely manage and push policy down to every mobile and removable media device.
As IoT continues to grow apace in the enterprise, automation in endpoint security is a final must-have to free up stretched IT staff to concentrate their efforts on the most critical tasks.
Phil Muncaster reports on China and beyond